But then I also do not see a real solution to this problem (other
than rewriting and/or copying large chunks of code...)
I'm afraid I agree. The problem is that the current structure is oriented
around analyzers (1) seeing the beginning of a connection and using it to
initialize state, and (2) consuming the input one packet at a time. What's
instead needed is a structure by which analyzers are initialized at a
current point in the input stream, and consume new stream elements in
quantized chunks (so they can say, for example, "I consumed 204 bytes out
of the current stream, do what you will with the next [which may include
calling me again]").
This is a fairly pressing need - for example, to analyze backdoors detected
by the backdoor analysis - but unfortunately I think it will quite a bit
of work. There's some analysis in Bro already that's somewhat along these
lines - the way that RPCs are interpreted regardless of whether they're
from TCP or UDP connections, and the MIME interpreter that Ruoming Pang
contributed - but those don't have the full set of elements needed to serve
as a ready template for doing this.
Vern